| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
krb5-config from the host platform needs to be added to PATH so it can be run
during build. This works because krb5-config is a platform independent
shell-script. Before #100906, krb5-config was not used, so we didn't run into
this problem.
|
|
openssh: fix static build
|
|
|
|
|
|
|
|
Fixes CVE-2020-15778, CVE-2020-14145
|
|
|
|
|
|
compile openssh_hpn with recent openssl
|
|
libselinux pulls in openssh transitively, so can’t use fido here
Fixes #89246
|
|
|
|
fix build failure
|
|
https://www.openssh.com/txt/release-8.2
add libfido2 to enable hardware tokens support added in this release
|
|
Hydra build is failing[1] because of a hash-mismatch of the gss-api
patch from debian.
I updated the patch, and activated the `autoreconfHook` when building
gss support as well, otherwise the build would fail with the following
error:
```
ERROR: configure is out of date; please run autoreconf (and configure)
```
[1] https://hydra.nixos.org/build/109409845
|
|
While 9fe10288f01984963faf47e21bf1bae4d7d37962 ensured that the
ssh-keysign path is searched for in PATH if not absolute,
it doesn't prevent the configure script from defaulting to an
absolute path in $out/libexec, making the whole effort rather
pointless.
|
|
We're hoping to deprecate HPN support, given that as far as we
can tell, nobody is using it, and the patches seem rather unmaintained.
|
|
https://www.openwall.com/lists/oss-security/2019/04/18/1
|
|
treewide replacement of
stdenv.mkDerivation rec {
name = "*-${version}";
version = "*";
to pname
|
|
ssh-keysign is used for host-based authentication, and is designed to be used
as SUID-root program. OpenSSH defaults to referencing it from libexec, which
cannot be made SUID in Nix.
|
|
|
|
|
|
added openssh_gssapi to make it easier to test the patched version
the HPN edition isn't available on top of 7.9p1 yet
fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's
fixed.
release notes: https://www.openssh.com/txt/release-7.9
|
|
Close #48031, fixes #48016. I didn't use the PR commit
because I think it's better to fetch the patch.
|
|
|
|
Release notes at https://www.openssh.com/txt/release-7.7;
primarily bugfixes.
Update ssh-hpn as well.
Switch to salsa.debian.org (from anonscm.debian.org).
|
|
|
|
This reverts commit 09696e32c390c232ec7ac506df6457fb93c1f536.
which reverted f596aa0f4a35f613422f85a4486e32ea20ca7739
to move it to staging
|
|
This reverts commit a232dd66ee0b390dc4d82858af7e15713bd60327.
Moving to staging
|
|
This can be disabled with the `withKerberos` flag if desired.
Make the relevant assertions lazy,
so that if an overlay is used to set kerberos to null,
a later override can explicitly set `withKerberos` to false.
Don't build with GSSAPI by default;
the patchset is large and a bit hairy,
and it is reasonable to follow upstream who has not merged it
in not enabling it by default.
|
|
openssh: 7.5p1 -> 7.6p1
|
|
Release notes are available at https://www.openssh.com/txt/release-7.6.
Mostly a bugfix release, no major backwards-incompatible changes.
|
|
Only acts on one-line dependency lists.
|
|
|
|
* pkgs: refactor needless quoting of homepage meta attribute
A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit
* Fixed some instances
|
|
Commit 093cc00cdd9d8cf31ecce5bc1dd3645c460a1b98, sets the LD environment
variable by default, but this confuses the openssh Makefile because `configure'
does not respect it.
|
|
http://hydra.nixos.org/build/53993444
|
|
Close #23990.
|
|
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.
Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
|
|
Only building was tested.
|
|
This reverts commit 661b5a9875cbc37310da5ee53b47a1d121bb5660.
|
|
This reverts commit 277080fea0d2cf5017e4179a23e370307502c677.
I had tested the server on my physical machine before pushing,
but the openssh test got broken so something is clearly wrong.
http://hydra.nixos.org/build/45500080
|
|
The two removed patches were for issues that should've been fixed.
Minor vulnerabilities addressed: CVE-2016-{10009,10010,10011,10012}.
https://www.openssh.com/txt/release-7.4
|
|
Also add myself as a maintainer.
|
|
|
|
These add a singleton list of a package to buildInputs.
|
|
|
|
|
|
Also remove patch for CVE-2015-8325 that has been fixed upstream.
|
|
|
|
(This is a rewritten version of the reverted commit
a927709a35cee56f878f0f57a932e1a6e2ebe23b, that disables the creation of
/var/empty during build so that sandboxed builds also works. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
|
